Strong customer authentication
As of 14 September 2019, payment service providers (PSPs) must apply strong customer authentication (SCA) where the customer:
- Accesses its payment account online;
- Initiates an electronic payment transaction;
- Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Strong customer authentication means that a PSP must ask the customer for two or more elements categorised as:
- Knowledge - something the user knows (e.g. PIN or password);
- Possession - something the user possesses (e.g. one-time password, phone or payment card);
- Inherence - something the user is (e.g. fingerprint).
The two elements requested by the PSP must be in different categories.
For remote payment transactions, strong customer authentication must also include elements which dynamically link the transaction to the specific amount and payee.
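The two rules just stated, at least two elements from different categories and, for remote payments, a code dynamically linked to the amount and payee, as an added illustration that is not part of the original page; the element-to-category mapping and the HMAC construction are assumptions for the example.

```python
import hashlib
import hmac

# Assumed mapping of element types to the three SCA categories.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "otp_device": "possession", "card": "possession", "phone": "possession",
    "fingerprint": "inherence", "face": "inherence",
}


def sca_satisfied(elements):
    """True when at least two elements span at least two distinct categories.

    Fails closed: an element type the PSP does not recognise makes the
    check fail rather than being silently ignored.
    """
    if len(elements) < 2 or any(e not in CATEGORY for e in elements):
        return False
    return len({CATEGORY[e] for e in elements}) >= 2


def dynamic_link_code(key, amount_cents, payee):
    """Authentication code bound to this specific amount and payee.

    HMAC-SHA256 over amount and payee is an assumed construction; the point
    is that any change to either value yields a different code.
    """
    msg = f"{amount_cents}|{payee}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_remote_payment(key, amount_cents, payee, code, elements):
    """Remote payment: the SCA elements must pass and the code must match
    the amount and payee actually being executed (constant-time compare)."""
    if not sca_satisfied(elements):
        return False
    expected = dynamic_link_code(key, amount_cents, payee)
    return hmac.compare_digest(expected, code)
```

A code issued for one amount and payee is rejected when either value is altered, which is what "dynamically linked" protects against.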
As a rule, payment service providers must apply strong customer authentication. However, in some cases, PSPs may choose not to apply strong customer authentication. These exemptions may be defined based on the transaction’s risk level, the amount, the recurrence and the payment channel used for its execution.
In cases where the payment service provider chooses not to apply strong customer authentication, the user cannot be held liable should the payment transaction be executed incorrectly, and the PSP takes responsibility for its decision.
For instance, toll payments using services such as Via Verde, recurring credit transfers or credit transfers to trusted beneficiaries, and payments under EUR 30 that meet certain conditions may be exempted from the application of strong customer authentication.
To supplement the PSD2, the European Banking Authority (EBA) has drawn up a set of regulatory technical standards (RTS) for strong customer authentication, which are included in Commission Delegated Regulation (EU) 2018/389 of 27 November 2017. This Regulation is directly applicable in all European Union Member States from 14 September 2019 onwards.
Chapter III of the Regulation sets forth the cases in which the payment service provider (PSP) may choose not to apply strong customer authentication. In particular, Article 17 establishes that PSPs may be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols, where the competent authority, i.e. Banco de Portugal, is satisfied that those processes or protocols guarantee appropriate levels of security.
Thus, Banco de Portugal has decided that PSPs may be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of the payment processes or protocols available here (in Portuguese only).
Those PSPs wishing not to apply strong customer authentication for these or other secure corporate payment processes or protocols must request permission from Banco de Portugal in advance.
The EBA has also published an ‘Opinion on the elements of strong customer authentication under PSD2’, providing a list of the authentication approaches that are or are not considered to be SCA compliant, supplementing the information provided in the ‘Opinion on the implementation of the RTS on SCA and CSC’.
To provide additional clarifications to the market, the EBA has also published a set of questions and answers on the PSD2 that are available for consultation on its website.